* [Buildroot] [git commit branch/2022.02.x] package/python-django: security bump to version 4.0.4
@ 2022-05-22 10:10 Peter Korsgaard
0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2022-05-22 10:10 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=c47ac4aa466de8e8b6ffc592f5fffbef4c8b73e7
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Fixes the following security issues:
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL
injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods.
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
QuerySet.explain() method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
**options argument.
For more details, see the advisory:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 87b8676fbfe57253696864cc3bf20e85852b9c8b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-django/python-django.hash | 4 ++--
package/python-django/python-django.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-django/python-django.hash b/package/python-django/python-django.hash
index f78df56c5f..8d9f0aafdb 100644
--- a/package/python-django/python-django.hash
+++ b/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/django/json
-md5 a86339c0e87241597afa8744704d9965 Django-4.0.2.tar.gz
-sha256 110fb58fb12eca59e072ad59fc42d771cd642dd7a2f2416582aa9da7a8ef954a Django-4.0.2.tar.gz
+md5 153fcb5dd7360b7ad219d65cb53e2d57 Django-4.0.4.tar.gz
+sha256 4e8177858524417563cc0430f29ea249946d831eacb0068a1455686587df40b5 Django-4.0.4.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
diff --git a/package/python-django/python-django.mk b/package/python-django/python-django.mk
index 652ca477ce..b4d6ec21c9 100644
--- a/package/python-django/python-django.mk
+++ b/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
#
################################################################################
-PYTHON_DJANGO_VERSION = 4.0.2
+PYTHON_DJANGO_VERSION = 4.0.4
PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
# The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/61/84/676c840e8f1188a6c836e3224b97aa8be4c2e6857c690d6c564eb23a4975
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/d2/95/93d1f75da95624bf89e373d079fa72debf77f9b10acc31998cc52a5ff3f9
PYTHON_DJANGO_LICENSE = BSD-3-Clause
PYTHON_DJANGO_LICENSE_FILES = LICENSE
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-05-22 10:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-22 10:10 [Buildroot] [git commit branch/2022.02.x] package/python-django: security bump to version 4.0.4 Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.